A DIGITAL SIGNATURE SCHEME FOR LONG-TERM SECURITY

DIMITRIOS POULAKIS AND ROBERT ROLLAND 



Abstract. In this paper we propose a signature scheme based on two intractable problems, namely the integer factorization problem and the discrete logarithm problem for elliptic curves. It is suitable for applications requiring long-term security and provides a more efficient solution than the existing ones.
1. Introduction

Many applications of information technology, such as encryption of sensitive medical data or digital signatures for contracts, need long-term cryptographic security. Unfortunately, today's cryptography provides strong tools only for short-term security [5]. In particular, digital signatures do not guarantee the desired long-term security. In order to achieve this goal Maseberg fTf] suggested the use of more than one sufficiently independent signature scheme. Thus, if one of them is broken, it can be replaced by a new secure one; afterwards the document has to be re-signed, and again we have more than one valid signature of our document. Of course, a drawback of the method is that the document has to be re-signed.

In order to avoid this problem, it may be interesting, for applications with long-term security requirements, to base the security of cryptographic primitives on two difficult problems, so that if either of these problems is broken, the other will still be valid and hence the signature will be protected. We propose in this paper a signature scheme built taking this constraint into account. The scheme is based on the integer factorization problem and the discrete logarithm problem on a supersingular elliptic curve. Note that these two problems have similar resistance to attack, thus they can coexist within the same protocol. The use of a supersingular curve allows us to easily build a pairing that we use to verify the signature. Note that our system is the first one that combines these two problems.

Signature schemes combining the intractability of the integer factorization problem and the integer discrete logarithm problem have been proposed, but most of them have proved to be not as secure as claimed O [3 [TU [151 El Ull l23].

In Section 2 we describe the infrastructure for the implementation of the scheme. Then we present the key generation, the generation of a signature and the verification. In Section 3 we study the security of the scheme. In Section 4 we show how to build an elliptic curve adapted to the situation and how to define a suitable pairing on it. In Section 5 we address the problem of the map-to-point function and give a practical solution. In Section 6 we analyze the performance of the scheme. In Section 7 we give a complete example that shows that the establishment of such a system can be carried out in practice.

2. The Proposed Signature Scheme 
In this section we present our signature scheme. 

2.1. Public and private key generation. A user A, who wants to create a public and a private key, selects:

(1) primes $p_1$ and $p_2$ such that the factorization of $n = p_1 p_2$ is infeasible;

(2) an elliptic curve $E$ over a finite field $\mathbb{F}_q$, a point $P \in E(\mathbb{F}_q)$ with $\mathrm{ord}(P) = n$ and an efficiently computable pairing $e_n$ such that $e_n(P, P)$ is a primitive $n$-th root of 1;

(3) three integers $g \in \{1, \ldots, n-1\}$ with $\gcd(g, n) = 1$ and $a, b \in \{1, \ldots, \phi(n) - 1\}$, and computes $Q = g^a P$, $r = g^b \pmod n$ and $R = g^{a-ab} P$ (the exponents are taken modulo $\phi(n)$, and the scalars $g^a$, $g^{a-ab}$ are reduced modulo $n$, the order of $P$, before the point multiplication);

(4) two hash functions, $H : \{0,1\}^* \to \langle P \rangle$, where $\langle P \rangle$ is the subgroup of $E(\mathbb{F}_q)$ generated by $P$, and $h : \{0,1\}^* \to \{0, \ldots, n-1\}$.

A publishes the elliptic curve $E$, the pairing $e_n$ and the hash functions $h$ and $H$. The public key of A is $(g, P, Q, R, r, n)$ and his private key is $(a, b, p_1, p_2)$.

2.2. Signature generation. A wants to sign a message $m \in \{0,1\}^*$. Then he computes
$$S = g^{ab} H(m)$$
and
$$s = bh(m) + a - ab \bmod \phi(n).$$
Let $x(S)$ be the $x$-coordinate of $S$. The signature of $m$ is the couple $(x(S), s)$.

2.3. Verification. Suppose that $(x, s)$ is the signature of $m$. The receiver determines $y$ such that $\Sigma = (x, y)$ is a point of $E(\mathbb{F}_q)$. He accepts the signature if and only if
$$e_n(\pm g^s \Sigma, P) = e_n(r^{h(m)} H(m), Q)$$
and
$$g^s P = r^{h(m)} R.$$

Proof of correctness of verification. Suppose that the signature $(x, s)$ is valid and $S = (x, y)$ is a point of $E(\mathbb{F}_q)$. Then $\Sigma = \pm S$ and so, we get
$$e_n(\pm g^s \Sigma, P) = e_n(g^s S, P) = e_n(g^{bh(m) + a - ab}\, g^{ab} H(m), P) = e_n(g^{bh(m)} H(m), g^a P) = e_n(r^{h(m)} H(m), Q)$$
and
$$g^s r^{-h(m)} P = g^{h(m)b + a - ab - bh(m)} P = g^{a - ab} P = R.$$

Suppose now we have a couple $(S, s)$ such that
$$e_n(g^s S, P) = e_n(r^{h(m)} H(m), Q), \qquad g^s P = r^{h(m)} R.$$

Since $H(m), S \in \langle P \rangle$, there are $u, v \in \{0, \ldots, n-1\}$ such that $S = uP$ and $H(m) = vP$. Then we get
$$e_n\big((g^s u - r^{h(m)} g^a v) P, P\big) = 1.$$

The element $e_n(P, P)$ is a primitive $n$-th root of 1 and so, we obtain
$$g^s u \equiv r^{h(m)} g^a v \pmod n$$
whence

On the other hand, the equality

implies

and so, we get
$$u v^{-1} \equiv g^{ab} \pmod n.$$
Hence, we obtain
$$s \equiv bh(m) + a - ab \pmod{\phi(n)}, \qquad S = g^{ab} H(m),$$
whence we have that $(x(S), s)$ is a signature for $m$.

3. Security 

We remark that if an attacker wants to compute $a$ and $b$ from the public key, he has to compute either the discrete logarithms of $Q$ and $R$ to the base $P$ and next a discrete logarithm modulo $n$, or the discrete logarithm of $r$ to the base $g$, the discrete logarithm of one of $Q$ and $R$ to the base $P$, and next a discrete logarithm modulo $n$. Thus, he has to compute at least a discrete logarithm in the group $\langle P \rangle$ and two logarithms modulo $n$. Note that an algorithm which computes the discrete logarithm modulo $n$ implies an algorithm which breaks the Composite Diffie-Hellman key distribution scheme for $n$, and any algorithm which breaks this scheme for a non-negligible proportion of the possible inputs can be used to factorize $n$ [18], [2].

Let $p(d, a)$ be the smallest prime of the arithmetic progression $\{a + kd \mid k \ge 0\}$. Put
$$p(d) = \max\{\, p(d, a) \mid 1 \le a < d,\ \gcd(a, d) = 1 \,\}.$$

In 1978, Heath-Brown [9] conjectured that $p(d) \le C\, d (\log d)^2$. We shall use this conjecture in order to show that we can construct a supersingular elliptic curve having a subgroup of order $n$ in polynomial time.

We consider the arithmetic progression $4nj + 4n - 1$ ($j = 0, 1, 2, \ldots$). The above conjecture implies that there exists a prime $q \le C \cdot 4n (\log 4n)^2$ such that $q \equiv 4n - 1 \pmod{4n}$. Hence there is $j \le C (\log 4n)^2$ such that $q = 4nj + 4n - 1$, whence $q + 1 = 4n(j + 1)$. Thus, we can find the prime $q$ in polynomial time, using a primality test $O((\log n)^2)$ times. Moreover, since $q \equiv 3 \pmod 4$, the elliptic curve $y^2 = x^3 + x$ over $\mathbb{F}_q$ is supersingular.

Suppose now there is an oracle $\mathcal{O}$ which, given a public key and a message $m$, provides a signature for $m$.

Let $n$ be an integer which is the product of two (unknown) primes. We shall use the oracle $\mathcal{O}$ in order to factorize $n$. Let $E$ be an elliptic curve as above and $P \in E(\mathbb{F}_q)$ a point of order $n$. Furthermore, we consider $g, a, b \in \{1, \ldots, n-1\}$ and we compute $r = g^b \bmod n$, $Q = g^a P$ and $R = g^{a-ab} P$. So, we have the public key $(g, P, Q, R, r, n)$ for our system. Then $\mathcal{O}$ gives signatures $(S_i, s_i)$ for the messages $m_i$ ($i = 1, \ldots, k$) and so, we have $s_i = bh(m_i) + a - ab \bmod \phi(n)$. It follows that $\phi(n)$ divides the gcd $d$ of the numbers $s_i - bh(m_i) - a + ab$ ($i = 1, \ldots, k$) and hence $\phi(n)$ is among the divisors of $d$. Note however that, assuming the numbers $s_i - bh(m_i) - a + ab$ follow the uniform distribution, the probability that two such numbers have gcd $> \phi(n)$ is quite small. Thus, $\phi(n)$ can be easily computed and so the factorization of $n$.
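The reduction above, as an added example written for this page (not the authors' code). The adversary chooses $g, a, b$ himself, so he knows them; what he lacks is $\phi(n)$. Each answer $s_i$ of the oracle satisfies $s_i \equiv bh(m_i) + a - ab \pmod{\phi(n)}$, so the integers $bh(m_i) + a - ab - s_i$ are multiples of $\phi(n)$; their gcd $d$ is $\phi(n)$ up to a small cofactor, which the code removes by trying $d/k$ for small $k$, and $\phi(n)$ yields $p_1 + p_2 = n - \phi(n) + 1$ and hence the factors. Only the integer $s$ of each signature is used, so no curve arithmetic appears. Assumptions: the oracle is simulated by the honest signing equation of Section 2.2 (it is handed the adversary's $a, b$ because, unlike a real forger, the simulation has no other way to answer), $h$ is SHA-256 reduced modulo $n$, the messages are constructed, and the primes are toy-sized.

```python
# Added example (not the authors' code): the factoring reduction of Section 3. The adversary
# picks g, a, b himself (phi(n) unknown to him), obtains signatures from the oracle on a few
# messages, and since every s_i = b*h(m_i) + a - a*b mod phi(n), the integers
# b*h(m_i) + a - a*b - s_i are multiples of phi(n); their gcd d is phi(n) up to a small
# factor, and phi(n) factors n via p1 + p2 = n - phi(n) + 1. Only the integer part s of a
# signature is needed. The oracle is simulated with the honest signing equation; primes
# are toy-sized.
import hashlib, random
from math import gcd, isqrt

def h(m, n):                                       # h: {0,1}* -> {0, ..., n-1}
    return int.from_bytes(hashlib.sha256(m).digest(), 'big') % n

def make_oracle(p1, p2):                           # stand-in for O: it knows phi(n)
    n, phi = p1 * p2, (p1 - 1) * (p2 - 1)
    return lambda a, b, m: (b * h(m, n) + a - a * b) % phi   # the s of Section 2.2

def factor_from_phi(n, cand):                      # cand == phi(n)  =>  p1 + p2 = n - cand + 1
    s, disc = n - cand + 1, (n - cand + 1) ** 2 - 4 * n
    if disc < 0 or isqrt(disc) ** 2 != disc or (s - isqrt(disc)) % 2: return None
    p = (s - isqrt(disc)) // 2
    return (p, n // p) if 1 < p < n and n % p == 0 else None

def attack(n, oracle, rounds=4, seed=1):
    rng = random.Random(seed)
    a, b = rng.randrange(1, n), rng.randrange(1, n)           # own key; phi(n) unknown
    d = 0
    for i in range(rounds):
        m = b'message %d' % i                                  # constructed messages
        d = gcd(d, b * h(m, n) + a - a * b - oracle(a, b, m))  # a multiple of phi(n)
    for k in range(1, 1000):                                   # phi(n) | d: try d / k
        if d % k == 0 and factor_from_phi(n, d // k):
            return factor_from_phi(n, d // k), d // k
    return None

if __name__ == '__main__':
    p1, p2 = 1000003, 1000033                                  # toy primes
    print(attack(p1 * p2, make_oracle(p1, p2)))
```

`attack` returns the pair of factors together with the recovered $\phi(n)$; four oracle answers are enough because the cofactor left in the gcd is almost always 1 or a very small integer, and a wrong candidate for $\phi(n)$ cannot pass `factor_from_phi`, since integer roots of $x^2 - (n - \phi + 1)x + n$ dividing $n$ force $\phi = \phi(n)$.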

Let $G_1$ and $G_2$ be two (multiplicative) cyclic groups of prime order $p$; $g_1$ is a fixed generator of $G_1$ and $g_2$ is a fixed generator of $G_2$; $\psi$ is an isomorphism from $G_2$ to $G_1$, with $\psi(g_2) = g_1$. We recall the following problem [3].

Computational co-Diffie-Hellman on $(G_1, G_2)$. Given $g_2, g_2^{\alpha} \in G_2$ and $h \in G_1$ as input, compute $h^{\alpha} \in G_1$.

The best known algorithm for solving the above problem is to compute discrete logarithms in $G_1$.

Assuming that $p_1$ and $p_2$ are known, we consider $P_i \in E(\mathbb{F}_q)$ with order $p_i$. We take $g_i \in \{1, \ldots, p_i - 1\}$ and $a, b \in \{1, \ldots, \phi(n)\}$ and we compute $Q_i = g_i^a P_i$, $R_i = g_i^{a-ab} P_i$ and $r_i = g_i^b \bmod p_i$ ($i = 1, 2$).

Let $g, r \in \{1, \ldots, n-1\}$ be such that $g \equiv g_i \pmod{p_i}$ and $r \equiv r_i \pmod{p_i}$ ($i = 1, 2$). We set $P = P_1 + P_2$, $Q = Q_1 + Q_2$ and $R = R_1 + R_2$. Thus
$$Q = Q_1 + Q_2 = g_1^a P_1 + g_2^a P_2 = g^a P$$
and
$$R = R_1 + R_2 = g_1^{a-ab} P_1 + g_2^{a-ab} P_2 = g^{a-ab} P.$$
Therefore $(g, P, Q, R, r, n)$ is a public key for our signature scheme.

We apply $\mathcal{O}$ on $(g, P, Q, R, r, n)$ and $m \in \{0,1\}^*$, and we get the signature $(S, s)$ for $m$. Thus, we have $S = g^{ab} H(m)$, whence it follows that $g^s r^{-h(m)} S = g^a H(m)$. Set $S = S_1 + S_2$ and $H(m) = H_1 + H_2$, where $S_i, H_i \in \langle P_i \rangle$ ($i = 1, 2$). Then, we have $g_i^s r_i^{-h(m)} S_i = g_i^a H_i$, and so $g_i^s r_i^{-h(m)} S_i$ is the solution of the computational co-Diffie-Hellman problem with $g_2 = P_i$, $\alpha = g_i^a$ and $h = H_i$ ($i = 1, 2$).

4. The elliptic curve and the pairing 

In this section we show how we can construct an elliptic curve with the desired properties in order to implement our signature scheme. This task is achieved by the following algorithm:

(1) select two large prime numbers $p_1$ and $p_2$ such that the factorizations of $p_1 - 1$, $p_2 - 1$ are known and the computation of the factorization of $n = p_1 p_2$ is infeasible;

(2) select a random prime number $p$ and compute $m = \mathrm{ord}_n(p)$;

(3) find, using the algorithm of [4], a supersingular elliptic curve $E$ over $\mathbb{F}_{p^{2m}}$ with trace $t = 2p^m$;

(4) return $\mathbb{F}_{p^{2m}}$ and $E$.

Since the trace of $E$ is $t = 2p^m$, we get $|E(\mathbb{F}_{p^{2m}})| = p^{2m} + 1 - 2p^m = (p^m - 1)^2$. On the other hand, we have $m = \mathrm{ord}_n(p)$, whence $n \mid p^m - 1$, and so $n$ is a divisor of $|E(\mathbb{F}_{p^{2m}})|$. Therefore $E(\mathbb{F}_{p^{2m}})$ contains a subgroup of order $n$.

By [4, Theorem 1.1], we obtain, under the assumption that the Generalized Riemann Hypothesis is true, that the time complexity of Step 3 is $O((\log p^{2m})^3)$. Furthermore, since the factorization of $\phi(n) = (p_1 - 1)(p_2 - 1)$ is known, the time needed for the computation of $m$ is $O((\log n)^2 / \log\log n)$ [13, Section 4.4].
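Step (2) of the construction above, as an added example written for this page (not the authors' code): $m = \mathrm{ord}_n(p)$ is computed from the known factorization of $\phi(n) = (p_1 - 1)(p_2 - 1)$ by starting from $\phi(n)$, which is a multiple of the order, and stripping each prime while $p^{m/\ell} \equiv 1 \pmod n$ still holds; the result is then checked against $n \mid p^m - 1$, the fact that makes $n$ divide $(p^m - 1)^2$. The primes are toy-sized and $\phi(n)$ is factored by trial division on each $p_i - 1$; `field_bits` is only there to show the size $2m \log_2 p$ of $\mathbb{F}_{p^{2m}}$, since $m$ is a divisor of $\mathrm{lcm}(p_1 - 1, p_2 - 1)$ and for a random $p$ it is usually a large one.

```python
# Added example (not the authors' code): Step (2) of the construction, ord_n(p) from the
# known factorization of phi(n) = (p1 - 1)(p2 - 1), and the check n | p^m - 1 that makes n
# divide |E(F_{p^{2m}})| = (p^m - 1)^2. Toy-sized primes; phi(n) is factored by trial
# division on each p_i - 1.
from math import gcd, log2

def factorize(x):                                  # {prime: exponent} by trial division
    f, d = {}, 2
    while d * d <= x:
        while x % d == 0: f[d], x = f.get(d, 0) + 1, x // d
        d += 1
    if x > 1: f[x] = f.get(x, 0) + 1
    return f

def phi_factors(p1, p2):                           # factorization of (p1 - 1)(p2 - 1)
    f = factorize(p1 - 1)
    for l, e in factorize(p2 - 1).items(): f[l] = f.get(l, 0) + e
    return f

def mult_order(p, n, pf):
    """ord_n(p) from the factorization pf of phi(n): phi(n) is a multiple of the order
    (Euler), so strip each prime l from it while p^(m/l) is still 1 mod n."""
    if gcd(p, n) != 1: raise ValueError("p must be coprime to n")
    m = 1
    for l, e in pf.items(): m *= l ** e
    for l, e in pf.items():
        for _ in range(e):
            if pow(p, m // l, n) != 1: break
            m //= l
    return m

def field_bits(p, m):                              # bit size of F_{p^{2m}}, i.e. 2m*log2(p)
    return 2 * m * log2(p)

if __name__ == "__main__":
    p1, p2 = 1000003, 1000033                      # toy primes, n = p1 * p2
    n, p = p1 * p2, 101
    m = mult_order(p, n, phi_factors(p1, p2))
    print(m, pow(p, m, n) == 1, field_bits(p, m))
```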

For the implementation of our signature scheme we also need a point $P$ with order $n$ and an efficiently computable pairing $e_n$ such that $e_n(P, P)$ is a primitive $n$-th root of 1. The Weil pairing does not fulfill this requirement ($e_n(P, P) = 1$), and in many instances neither does the Tate pairing; the same happens for the eta, ate or omega pairings [1], [10], [22]. Let $e_n$ be one of the previous pairings on $E[n]$. Following the method introduced by E. Verheul [20], we use a distortion map $\phi$ such that the points $P$ and $\phi(P)$ form a generating set for $E[n]$ and we consider the pairing $\hat{e}_n(P, Q) = e_n(P, \phi(Q))$. The algorithm of [7, Section 6] provides a method for the determination of $P$ and $\phi$.

Another method for the construction of the elliptic curve $E$, which is quite efficient in practice, is given by the following algorithm:

(1) draw at random a prime number $p_1$ of a given size $l$ (for example $l = 1024$ bits);

(2) draw at random a number $p_2$ of size $l$;

(3) repeat $p_2 = \mathrm{NextPrime}(p_2)$ until $4p_1p_2 - 1$ is prime;

(4) return $p = 4p_1p_2 - 1$.

It is not proved that this algorithm stops with large probability. This is an open problem, which for $p_1 = 2$ is the Sophie Germain prime problem. But in practice we obtain a result $p$ which is a prime of length about $2l$.

Since $p \equiv 3 \pmod 4$, the elliptic curve defined over $\mathbb{F}_p$ by the equation
$$y^2 = x^3 + ax,$$
where $-a$ is not a square in $\mathbb{F}_p$, is supersingular with $p + 1 = 4p_1p_2$ points. By [11, Théorème 2.1], the group $E(\mathbb{F}_p)$ is either cyclic or $E(\mathbb{F}_p) \simeq \mathbb{Z}/2p_1p_2\mathbb{Z} \times \mathbb{Z}/2\mathbb{Z}$. In each case the group $E(\mathbb{F}_p)$ has only one subgroup of order $n = p_1p_2$, and this subgroup is cyclic.

If $e_n$ is one of the previous pairings on $E[n]$, then we use the distortion map $\phi(Q) = \phi(x, y) = (-x, iy)$ with $i^2 = -1$ (cf. [11]) and so we obtain the pairing $\hat{e}_n(P, Q) = e_n(P, \phi(Q))$.

5. The map to point function 

Let $G$ be the subgroup of order $n = p_1p_2$ of $E(\mathbb{F}_q)$ introduced in the previous section. In order to sign using the discrete logarithm problem on this group, we have to define a hash function into the group $G$, namely a map-to-point function. This problem was studied by various authors, each giving their own method, for example in [3] or [12]. We give here the following solution. Let us denote by $|n| = \lfloor \log_2(n) \rfloor + 1$ the size of $n$. Let $h$ be a key derivation function, possibly built using a standard hash function. We recall that $h$ maps a message $M$ and a bit length $l$ to a bit string $h(M, l)$ of length $l$. Moreover we will suppose that $h$ acts as a good pseudo-random generator. Let $Q$ be a generator of the group $G$. Let us denote by $(T_i)_{i \ge 0}$ the sequence of bit strings defined by $T_0 = \varepsilon$ (the empty string) and, for $i \ge 1$,
$$T_i = u_w \cdots u_0,$$
where $i = \sum_{j=0}^{w} u_j 2^j$ and $u_w = 1$, that is, $T_i$ is the binary expansion of $i$.

To map the message $m$ to a point $H(m)$ we run the following algorithm:

i := 0;
Repeat
    k := h(m || T_i, |n|);
    i := i + 1;
Until k < n;
Output H(m) = k.Q;

This Las Vegas algorithm has probability zero of never stopping. In practice this algorithm stops quickly: since $2^{|n|-1} < n < 2^{|n|}$, the expected number of iterations is $< 2$. If one can find a collision for $H$, it is easy to find a collision for $h$.
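The scheme of Section 2, the second curve construction of Section 4 and the map-to-point of this section, as one added toy implementation written for this page (not the authors' code). Assumptions: $h$ is SHA-256 reduced modulo $n$ and the key derivation function $h(M, l)$ is the top $l$ bits of SHA-256; $T_i$ is encoded as ASCII digits rather than raw bits; $P$ itself serves as the generator of $\langle P \rangle$ inside $H$; $p_1$ is a fixed 20-bit prime and $p_2$ is found by the NextPrime loop of Section 4, so that $q = 4p_1p_2 - 1$ is prime and $E: y^2 = x^3 + x$ over $\mathbb{F}_q$ has $4n$ points. The pairing is the reduced Tate pairing computed by Miller's loop and composed with the distortion map $(x, y) \mapsto (-x, iy)$; because $\phi(Q)$ has its $x$-coordinate in $\mathbb{F}_q$, every vertical-line value lies in $\mathbb{F}_q^*$ and is dropped, as the final exponent $(q^2 - 1)/n = 4(q - 1)$ is a multiple of $q - 1$. Verification follows Section 2.3 literally: it recovers $y$ from $x$, rejects points outside $\langle P \rangle$, checks $g^s P = r^{h(m)} R$ and then $e_n(\pm g^s \Sigma, P) = e_n(r^{h(m)} H(m), Q)$.

```python
# Added example (not the authors' code): a toy end-to-end instance of Sections 2, 4 and 5.
# p1 is fixed and p2 steps through the primes until q = 4*p1*p2 - 1 is prime (the second
# construction of Section 4); E: y^2 = x^3 + x over F_q has q + 1 = 4n points; e_n is the
# reduced Tate pairing composed with the distortion map phi(x, y) = (-x, i*y); H is the
# try-and-increment map-to-point of Section 5 with P as the generator of <P>. Toy sizes only.
import hashlib, random
from math import gcd

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)   # Miller-Rabin bases, deterministic < 3.3e24
def is_prime(m):
    if m < 2 or any(m % a == 0 for a in BASES): return m in BASES
    d, s = m - 1, 0
    while d % 2 == 0: d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, m)
        if x in (1, m - 1): continue
        for _ in range(s - 1):
            x = x * x % m
            if x == m - 1: break
        else: return False
    return True

p1, p2 = 1000003, 1000004                 # 1000003 is prime; p2 <- NextPrime(p2) until q is prime
while not (is_prime(p2) and is_prime(4*p1*p2 - 1)): p2 += 1
q, n, phi = 4*p1*p2 - 1, p1*p2, (p1 - 1)*(p2 - 1)          # q = 3 (mod 4): E is supersingular

# E(F_q): y^2 = x^3 + x; points are (x, y), None is the point at infinity O
def add(A, B):
    if A is None or B is None: return B if A is None else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % q == 0: return None
    lam = (3*x1*x1 + 1) * pow(2*y1, -1, q) if A == B else (y2 - y1) * pow(x2 - x1, -1, q)
    x3 = (lam*lam - x1 - x2) % q
    return (x3, (lam*(x1 - x3) - y1) % q)

def mul(k, A):                            # double-and-add, k >= 0
    R = None
    for bit in bin(k)[2:]: R = add(add(R, R), A if bit == '1' else None)
    return R

# F_{q^2} = F_q(i), i^2 = -1; elements are pairs (a, b) = a + b*i
def f2mul(u, v): return ((u[0]*v[0] - u[1]*v[1]) % q, (u[0]*v[1] + u[1]*v[0]) % q)
def f2pow(u, k):
    r = (1, 0)
    for bit in bin(k)[2:]: r = f2mul(f2mul(r, r), u if bit == '1' else (1, 0))
    return r

def line(T, U, dx, dy):                   # line through T and U (tangent if T == U) at (dx, i*dy)
    (x1, y1), (x2, y2) = T, U
    if x1 == x2 and (y1 + y2) % q == 0: return ((dx - x1) % q, 0)   # T + U = O: vertical line
    lam = ((3*x1*x1 + 1) * pow(2*y1, -1, q) if T == U else (y2 - y1) * pow(x2 - x1, -1, q)) % q
    return ((lam*(x1 - dx) - y1) % q, dy)  # y - y1 - lam*(x - x1) at x = dx, y = i*dy

def e(A, B):                              # e_n(A, B) = t_n(A, phi(B)) = f_{n,A}(phi(B))^((q^2-1)/n)
    dx, dy, T, f = -B[0] % q, B[1], A, (1, 0)                # phi(B) = (-x_B, i*y_B)
    for bit in bin(n)[3:]:                # Miller's loop; n | q + 1 gives embedding degree 2
        f, T = f2mul(f2mul(f, f), line(T, T, dx, dy)), add(T, T)
        if bit == '1': f, T = f2mul(f, line(T, A, dx, dy)), add(T, A)
    return f2pow(f, (q*q - 1) // n)       # exponent 4(q-1) kills every F_q^* factor, which is why
                                          # the vertical-line denominators (values in F_q^*) are skipped

def h(m): return int.from_bytes(hashlib.sha256(m).digest(), 'big') % n   # h: {0,1}* -> Z_n

def H(m, G):                              # Section 5: k = h(m || T_i, |n|) until k < n; output k*G
    bits, i = n.bit_length(), 0           # T_i = binary expansion of i (ASCII digits here), T_0 empty
    while True:
        tag = format(i, 'b').encode() if i else b''
        k = int.from_bytes(hashlib.sha256(m + tag).digest(), 'big') >> (256 - bits)
        i += 1
        if 0 < k < n: return mul(k, G)    # k = 0 is skipped: 0*G = O has no x-coordinate

def keygen(seed=1):
    rng = random.Random(seed)
    while True:                           # random point, cofactor 4 cleared, order exactly n
        x = rng.randrange(1, q); rhs = (x**3 + x) % q; y = pow(rhs, (q + 1) // 4, q)
        P = mul(4, (x, y)) if y*y % q == rhs else None
        if P and mul(p1, P) and mul(p2, P): break
    z = e(P, P)                           # e_n(P, P) must be a primitive n-th root of unity
    assert f2pow(z, p1) != (1, 0) and f2pow(z, p2) != (1, 0)
    g = rng.randrange(2, n)
    while gcd(g, n) != 1: g = rng.randrange(2, n)
    a, b = rng.randrange(1, phi), rng.randrange(1, phi)
    Q, R, r = mul(pow(g, a, n), P), mul(pow(g, (a - a*b) % phi, n), P), pow(g, b, n)
    return (g, P, Q, R, r, n), (a, b, p1, p2)

def sign(pk, sk, m):                      # signature is (x(S), s), S = g^{ab} H(m)
    g, P, a, b = pk[0], pk[1], sk[0], sk[1]
    return mul(pow(g, a*b % phi, n), H(m, P))[0], (b*h(m) + a - a*b) % phi

def verify(pk, m, sig):
    g, P, Q, R, r, _ = pk; x, s = sig
    rhs = (x**3 + x) % q; y = pow(rhs, (q + 1) // 4, q)
    if y*y % q != rhs or mul(n, (x, y)) is not None: return False   # (x, y) is not in <P>
    if mul(pow(g, s, n), P) != mul(pow(r, h(m), n), R): return False  # g^s P = r^{h(m)} R
    X = mul(pow(g, s, n), (x, y))                                     # g^s S for S = (x, +-y)
    target = e(mul(pow(r, h(m), n), H(m, P)), Q)
    return e(X, P) == target or e((X[0], -X[1] % q), P) == target
```

`keygen(seed)` returns the public key $(g, P, Q, R, r, n)$ and the private key $(a, b, p_1, p_2)$ in the layout of Section 2.1, and `sign` returns $(x(S), s)$. Two points of practice show up in the code: the verifier must reject an $x$ that is not the abscissa of a point of $\langle P \rangle$ (here by checking $n \cdot (x, y) = O$, which suffices because the subgroup of order $n$ is unique), and the loop of this section accepts $k = 0$, which would give $H(m) = O$ and a signature point $S = O$ with no $x$-coordinate, so the implementation skips it.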

6. Performance Analysis 

In this section we analyze the performance of our scheme. The computation of $s$ requires the computation of the hash value $h(m)$, two modular multiplications $bh(m)$, $ab \pmod{\phi(n)}$, and finally a modular addition and a modular subtraction. The computation of $S$ needs a modular exponentiation $g^{ab} \pmod n$ and the computations of $H(m)$ and $g^{ab} H(m)$. Note that the computations of $a - ab \pmod{\phi(n)}$ and $g^{ab} \pmod n$ can be done off-line. Thus, the signature generation requires only the computation of the hash values $h(m)$, $H(m)$, a modular multiplication, a modular addition and a point multiplication on the elliptic curve. Hence, we see that the signature generation algorithm for our scheme is quite fast.

The signature verification needs two modular exponentiations ($g^s$ and $r^{h(m)}$ modulo $n$), a square root in $\mathbb{F}_q$ to recover $y$ from $x$, four point multiplications on the elliptic curve, two pairing computations and the computations of the hash values.

7. Example 

In this section we give an example of our scheme. We consider the 256-bit primes

$p_1 = 66481015416109013092212902294376702835774195899207559806860541669578637494231$

and

$p_2 = 115738576089152909314582339834842248600964273864643984203082855344579907038313.$

Thus, we have

$n = 7694418061221480574591795362863949897453901238591237288218960734891120311917717394926788820171226366199123245777785821902447854995757079440397354833472303.$

The number

$q = 4p_1p_2 - 1 = 30777672244885922298367181451455799589815604954364949152875842939564481247670869579707155280684905464796492983111143287609791419983028317761589419333889211$

is a prime. Since $q \equiv 3 \pmod 4$, the elliptic curve $E$ defined by the equation $y^2 = x^3 + x$ over $\mathbb{F}_q$ is supersingular. The point $P = (x(P), y(P))$, where

$x(P) = 24923438302879103041550933768873817553815859007663697223031249195408950893859429310143108613613599511882670676138255514518447219689120752272772341649471097$

and

$y(P) = 73799699734867649666586070170407219349043561538279221082751760053853975535811642226331502606869434233624734779779132109106217320985031461076144560383831 00,$

has order $n = p_1p_2$. We take $g = 2$,

$a = 2^{256} + 2^9 + 1 = 115792089237316195423570985008687907853269984665640564039457584007913129640449$

and

$b = 2^{128} + 2^{100} + 1 = 340282368188589063691604008928471416833.$

We have

$r = 2^b \bmod n = 6060473831180419028002527544274466669204983610931948163044337248603633561584218746945244152671122846476465903001270205739179947005024449868606694311195640,$

$2^a \bmod n = 3017032781059846123319599093846455792598383300588875602809811232191097667270756706255964182155241639553199078545733822454265640948748520452895571215190867$

and

$2^{a - ab} \bmod n = 6901235301332732306263093894248462771489182738937811099893935523975261846628680897065414699668317030484535099301214764389216498622653557732787251147641864.$

We consider the points $Q = 2^a P = (x(Q), y(Q))$, where

$x(Q) = 7260248943743510410597070580439186623312590993698497282989406963716051852174477547835747074046966659229829111355206667689244366615968601129874346167442208,$

$y(Q) = 18047895238161753485877117311740831532811194992411388021793352694090506314136751081697338862268315480477288944577615443538174923719718185915981630635761798$

and $R = 2^{a - ab} P = (x(R), y(R))$, where

$x(R) = 10151186689439654567058518823964915155717966972738632185569449759143395815855509840876862062561458081975328415803918866764912971271957844142196652521538840,$

$y(R) = 11830609568816187455064602957532997672345403803742470622163211050426407526147503476874128489377669604873066020056701553914845581133039809142240526482663137.$

Therefore $(2, P, Q, R, r, n)$ and $(a, b, p_1, p_2)$ are a public key and the corresponding private key for our signature scheme. Moreover, we can use the Tate pairing with the distortion map $\phi(x, y) = (-x, iy)$ with $i^2 = -1$.
8. Conclusion

In this paper we defined a signature system based on two difficult arithmetic problems. In the framework chosen, these problems have similar resistance to known attacks. We explained how to implement in practice all the basic functions we need for the establishment and operation of this system. This strategy is of interest in any application that includes a signature which must remain valid for a long time. Indeed, it is hoped that if either of the underlying problems is broken, the other will still be valid. In this case, the signature should be regenerated with a new system, without the chain of valid signatures being broken.